Building Effective Security Awareness in Your Organization

Building Effective Security Awareness in Your Organization

In today's rapidly evolving technological landscape, security awareness is paramount. While technology improves, so do the tactics of bad actors. A robust security awareness program is essential for any organization to ensure that users understand and fulfill their information security responsibilities. This begins with clear policies and procedures, but must extend to continuous education and engagement. Effective security awareness empowers employees to recognize threats, protects valuable information assets, and fosters a strong security culture within the organization.

Key points emphasized:

  • Continuous nature of security awareness
  • Importance of user understanding and accountability
  • Link between awareness and asset protection
  • Fostering a security-minded culture

As technology evolves, so does the need for security. Peltier (2013) aptly describes how security technology is constantly improving, making our jobs easier. However, the challenge remains: bad actors persist in causing issues, regardless of the new security measures introduced. This underscores the importance of a continuous cycle of security awareness, encompassing a range of activities and approaches at all levels of the organization.

At the heart of an effective information security program lies the work of the security team. They develop security policies, standards, procedures, and guidelines, as outlined by Peltier (2001).  These are the foundations upon which our security architecture is built. However, it's crucial to note that these measures can become less effective if there's no process to ensure that employees know their rights and responsibilities.

Security professionals often implement the perfect security program as described by Peltier (2001) but then don't follow through to include the personnel in the formula. To become as successful as possible, an information security professional must define a way to sell the security architecture to the customers. An effective security awareness program can be the most cost-effective action the management team can approve to safeguard critical information assets, as Peltier (2001) points out. Executing an effective security awareness program assists the employees in understanding why information security is to be taken seriously, what employees gain from implementing a security program, and how the security program will assist them in finishing their tasks. The process should begin with new employee orientation and continue annually for all employees at all levels of the organization.

Our organization has a few avenues of awareness. As part of the onboarding process, a security representative discusses the security policies, standards, and procedures in place and where to find them on the wiki. The Human Resources Department provides annual training classes that must be completed throughout the year for security and other education needed by contractors of the Department of Defense. The security team sends out a periodic fishing email to remind, and if caught, team members have to go to refresher classes to see and identify possible fishing emails.  The last thing that happens annually is an awareness campaign during National Cyber Security Awareness Month; the security team puts up awareness posters, the monthly speaker talks about cybersecurity issues, and the cyber security team runs typically a free phone check to recommend security tips for one mobile phone. Lastly, they send out regular reminders on what to and not to post on social media and how to remove unwanted information about one's self on sites such as or


Peltier, T. R. (2001). Information Security Policies, Procedures, and Standards. London: CRC Press. Retrieved from

Peltier, T. R. (2013). Information Security Fundamentals, Second Edition, 2nd Edition. Retrieved from

Posts in this series